
All times are UTC - 5 hours [ DST ]



Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 1 post ] 
Post subject: Hibernate Row Level Security, a couple ideas
Posted: Thu Jul 09, 2015 10:51 am
Newbie

Joined: Thu May 07, 2009 11:00 am
Posts: 1
Hey all. Trying to implement a row level security solution, where certain administrators only have access to employees in defined organizations (more complicated than that, but that's the gist). After much googling, I found no good solutions. If someone has suggestions, I'd be very appreciative. Failing that, I decided to try and write my own. I've got a couple ideas:

Idea 1:
Use the @PostLoad callback to check whether the loaded entity has permission to be loaded by the administrator in context.

The Explanation:
After loading an employee, the @PostLoad can do whatever logic I need to determine if the administrator in context (available through a ThreadLocal) has permissions to review the employee object which was just loaded.

The Problem:
Two problems really. I'd prefer to be able to null out the object if the user does not have access, but I can't null out an object from within that object. Also, this solution requires me to do the logic checks after the DB call, which I'd prefer to avoid for efficiency's sake.


Idea 2:
Create a new annotation similar to @Where, indicating that the returned object should be subject to special criteria.

The Explanation:
I can create an @Where with a clause which should be included on all generated HQL queries retrieving that value (e.g. "is_active=1"). That seems like logically the location I'd like to add these row-level security clauses. Unfortunately I can't dynamically modify the content of that clause (e.g. to change it to "org_id=1" vs "org_id=2"). If I could emulate the @Where annotation I could extend it to allow for dynamically created clauses (I'd make these available through a ThreadLocal), and the problem is solved.

The Problem:
I can't ascertain where the Hibernate annotations are being processed, and if I found it, I'm not sure I could extend it. I could of course dupe it and inject a new class into the jar, but that is unsanitary and difficult to maintain; I don't want to consider it.


I'd love any feedback. Thanks!
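
Added example, not part of the original post: a sketch combining both ideas, using Hibernate's parameterized `@Filter` for the dynamic clause the post wants from `@Where` and a fail-closed `@PostLoad` check for loads the filter does not cover. It assumes Hibernate 4/5 with `javax.persistence` and JPA bootstrapping (in Hibernate 6 the `@ParamDef` type is a `Class` and the package is `jakarta.persistence`); `AdminContext`, `ScopedSessions`, `orgScope` and the `org_id` column mapping are hypothetical names.

```java
import java.util.Set;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.PostLoad;
import org.hibernate.Session;
import org.hibernate.annotations.Filter;
import org.hibernate.annotations.FilterDef;
import org.hibernate.annotations.ParamDef;

/** Hypothetical holder for the organizations the administrator in context may see. */
final class AdminContext {
    private static final ThreadLocal<Set<Long>> ORGS = new ThreadLocal<>();
    static void set(Set<Long> orgIds) { ORGS.set(orgIds); }
    static void clear() { ORGS.remove(); } // call in a finally block: threads are pooled
    static Set<Long> allowedOrgs() {
        Set<Long> orgs = ORGS.get();
        if (orgs == null) throw new SecurityException("no administrator in context"); // fail closed
        return orgs;
    }
}

@Entity
@FilterDef(name = "orgScope", parameters = @ParamDef(name = "orgIds", type = "long"))
@Filter(name = "orgScope", condition = "org_id in (:orgIds)") // appended to generated SQL
class Employee {
    @Id private Long id;
    @Column(name = "org_id") private Long orgId;

    // Backstop for loads by identifier (Session.get / EntityManager.find), which
    // enabled filters do not restrict. An entity cannot null itself out, so the
    // load is aborted with an exception instead.
    @PostLoad
    void checkAccess() {
        if (!AdminContext.allowedOrgs().contains(orgId)) {
            throw new SecurityException("employee " + id + " is outside the allowed organizations");
        }
    }
}

final class ScopedSessions {
    /** Enable the filter before any query runs, e.g. on entityManager.unwrap(Session.class). */
    static Session scope(Session session) {
        Set<Long> orgs = AdminContext.allowedOrgs();
        if (orgs.isEmpty()) throw new SecurityException("administrator has no organizations"); // "in ()" is invalid SQL
        session.enableFilter("orgScope").setParameterList("orgIds", orgs);
        return session;
    }
}
```

Filters are off by default for every new session, so `scope` has to run wherever sessions are opened; the `@PostLoad` check is what still holds if a code path forgets it.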

